package cn.msqweb.config;

import cn.msqweb.constant.BusinessEnum;
import cn.msqweb.filter.TokenTeansLationFilter;
import cn.msqweb.model.Result;
import cn.msqweb.util.JsonUtils;
import cn.msqweb.util.ResponseUtils;
import jakarta.annotation.Resource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;


@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig{

    @Resource
    private TokenTeansLationFilter tokenTeansLationFilter;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {

        return httpSecurity
                .csrf(csrf -> csrf.disable())
                .cors(cors -> cors.disable())
                .sessionManagement(
                        sessionManagement -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .exceptionHandling(exceptionHandling -> {
//                    exceptionHandling.authenticationEntryPoint(authenticationEntryPoint());
                    exceptionHandling.accessDeniedHandler(accessDeniedHandler());
                })
                .addFilterBefore(tokenTeansLationFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/v2/api-docs",  // swagger
                            "/v3/api-docs",
                            "/swagger-resources/configuration/ui",  //用来获取支持的动作
                            "/swagger-resources",                   //用来获取api-docs的URI
                            "/swagger-resources/configuration/security",//安全选项
                            "/webjars/**",
                            "/swagger-ui/**",
                            "/druid/**",
                            "/actuator/**").permitAll().anyRequest().authenticated();
                })
                .build();

    }
    /**
     * 处理没有token的请求
     * @return
     */
    @Bean
    public AuthenticationEntryPoint authenticationEntryPoint(){
        return (request, response, authException) -> {
            Result<Object> fail = Result.fail(BusinessEnum.UN_AUTHORIZATION);
            ResponseUtils.weter(response, JsonUtils.objToJson(fail));
        };
    }

    /**
     * 权限不足的处理器
     * @return
     */
    @Bean
    public AccessDeniedHandler accessDeniedHandler(){
        return (request, response, accessDeniedException) -> {
            Result<Object> fail = Result.fail(BusinessEnum.ACCESS_DENY_FAIL);
            ResponseUtils.weter(response, JsonUtils.objToJson(fail));
        };
    }

}
